Opened 7 years ago
Closed 6 years ago
#27863 closed New feature (fixed)
Implement "SameSite" flag for session and CSRF cookies
| Reported by: | Alex Gaynor | Owned by: | Paweł Krawczyk |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection (http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global deployment, it'd be very useful for Defense in Depth.
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
I believe simply adding SameSite=lax to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).
Change History (7)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.
comment:4 by , 7 years ago
| Version: | 1.10 → master |
|---|
comment:5 by , 7 years ago
| Component: | contrib.sessions → HTTP handling |
|---|---|
| Needs documentation: | set |
| Needs tests: | set |
| Patch needs improvement: | set |
| Summary: | Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies |
comment:6 by , 6 years ago
| Needs documentation: | unset |
|---|---|
| Needs tests: | unset |
New PR (still needs some work)
Note: this requires a change to the stdlib
cookiesmodule: https://github.com/python/cpython/pull/214 I suspect with some hackery this can be worked around in Django though.